Someone Just Leaked The Price List for Cyberwar

On Monday, the Italian company Hacking Team, which produces secret cyber weapons for law-enforcement and government clients around the world, became the victim of an embarrassing public disclosure: more than 400 gigabytes of internal data made its way online in a widely shared torrent file. The group Reporters Without Borders has labeled Hacking Team “an enemy of the Internet,” for the surveillance tools and malware products it provides, with little transparency or accountability, to governments. News of the disclosure brought forth the sounds of schadenfreude from the privacy and tech communities.

So far, the exposed documents have already revealed a few key things about the group, its clients, and the business of cyberwar for hire.

The FBI has spent about $775,000 on the company’s Remote Control Service, or RCS, an eavesdropping system that pulls data from a target computer before it’s encrypted.

#HackingTeam told UN it didn’t sell to Sudan. This invoice for €480,000 suggests otherwise http://t.co/oatRf8SNJS pic.twitter.com/mDD8w7aVAL

— David Gilbert (@daithaigilbert) July 6, 2015

Hacking Team purports to sell its services to “law enforcement” but invoices reveal a wide assortment of unsavory clients, including the governments of Russia and Sudan, despite a UN arms embargo against the latter and contrary to previous assertions from company’s president, Christian Pozzi. It’s not clear that the company broke any laws with sales to Sudan, since surveillance software isn’t typically classified as a weapon.

Hacking Team never sold to Sudan? Here's the instructions for the 480,000 Euro wire transfer. cc @hackingteam pic.twitter.com/JqexHpvb3s

— Eva (@evacide) July 6, 2015

The company had an “action plan” for further expansion into the United States market and listed a Naval Criminal Investigative Service representative as a potential sales target.

#HackingTeam planning major moves into the United States, pursuing contracts with ATF, DOJ, Navy, RCMP, local police. pic.twitter.com/owBOLoLfpx

— Collin Anderson (@CDA) July 6, 2015

A previous disclosure from April showed that the United States Army bought an RCS system for $350,000. The most recent breach adds details: the system went to Fort Meade, but was never used, according to a (typo-ridden) email from Alex Velasco, the third-party contractor who closed the deal on behalf of Hacking Team. “They were never given permission to pull an internet line to their of?ce [sic] to install the system. (ridiculous but true!),” Velasco writes. “They also are interested in the new options that we have developed and want prices. They are not sure when we will be able to install but they believe that it could be in the next few months.”

Most incredibly, the hack brought to light the company’s price list, a blue book for surveillance and malware products. It’s a first-of-its-kind window into the going rate of cyberwar and espionage capabilities. Of the many offenses the company seems to have committed, price gouging seems to be one.

Want to hack into someone’s Windows device to steal Gmail data, turn on the microphone, and take snapshots with the camera? That’s an upfront license fee of €40,000 euros (about $44,200). Microphone recording and keystroke logging on in Mac OS will run you the same amount.

The company also sells what it calls “infection vectors,” or malware, including one product that “allows you to remotely infect Android and BlackBerry smartphones by sending specially crafted messages.” The price for that is €30,000.

Perhaps the strangest product on offer is a software-based AI agent, or “intelligence module,” that does some of the work of a real spy. The module “automatically processes all the evidence to extract and correlate the relevant bits of information, presenting you the overall picture of your investigations as it progress [sic] in time,” all for a price of €220,000.

There are a number of lessons to be learned from the breach.

“The Hacking Team case shows that international rules and controls should be applied more efficiently to private companies which are producing shady cybercapabilities and related technologies, as they are for conventional weapons,” Jarno Limnéll, a professor of cybersecurity at Aalto University in Finland, wrote in the International Business Times.

It also shows that the cyberweapons you build, or buy, can come back to haunt you.